The Connecticut legislature has improved its data breach notification law, expanding the definition of personal information and shortening the maximum period for providing breach notices. The new legislation brings Connecticut's data breach notification requirements in line with those of other states that have recently updated their privacy and security regulations. The updated data breach notification legislation was unanimously approved by the Senate and the House of Representatives and is awaiting the signature of Governor Ned Lamont.
Connecticut has led the country in data privacy for more than 10 years, and this law makes certain that it will keep doing so. Since the state passed one of the country's first rules protecting individuals from online data breaches, much has changed in technology and risks. Attorney General William Tong states that this legislation guarantees that the present regulations reflect those changing risks and will provide powerful, extensive protection for Connecticut residents.
Previously, notification letters were required only for breaches that affected a person's first name or initial and last name combined with any of the following: driver's license number, state ID card number, Social Security number, debit or credit card number, or a financial account number along with codes or passwords that could enable account access.
The expanded definition of personal data now includes these data elements:
- Passport number
- Taxpayer identification number
- IRS identity protection personal identification number
- Military identification number
- Other identification number issued by the government and utilized for identity confirmation
- Medical insurance policy/subscriber number
- Medical data: Medical history, mental or physical health status, diagnoses, and treatment details
- Biometric details employed to validate an individual’s identity: for example, fingerprints, retina or iris image, voice print
- Username or email address when coupled with a password or security question and answer that permits account access
Previously, businesses experiencing a personal data breach were expected to send notifications to impacted Connecticut residents, as well as the state Attorney General, within 90 days of discovering the breach. That time period is now reduced to 60 days; however, notifications must be issued without unreasonable delay. When it is not reasonably believed that it will be possible to identify impacted people and obtain their contact details within 60 days, a substitute breach notice must be provided.
In the case of a breach of login credentials such that an account was accessed, electronic or other forms of notification should be given that instruct impacted persons to change their password or security question and answer, or take optional steps to secure the impacted account.
All entities covered by the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act are considered compliant with the new data breach notification law when they meet the requirements of those regulations.
Any documents or information obtained in connection with a security breach investigation are exempt from public disclosure, though they could be made accessible to third parties at the discretion of the Attorney General in furtherance of an investigation.
The changes to the data breach notification law in Connecticut will be effective starting October 1, 2021, once the state governor signs the bill.